LeftoverLocals – CVE-2023-4969: The Hidden Threat in Your GPU

In the fast-paced world of high-performance computing and artificial intelligence, GPUs have emerged as indispensable powerhouses. But beneath the surface of their impressive capabilities, a vulnerability lurks, threatening the very core of data security. This vulnerability, known as LeftoverLocals, is a critical issue discovered by Trail of Bits researchers in general-purpose graphics processing units (GPGPUs) across leading manufacturers like AMD, Apple, and Qualcomm.

GPUs, initially designed for rendering graphics, have evolved into essential components for AI/ML and scientific computing. Their ability to handle massive parallelism and high memory bandwidth makes them ideal for tasks involving intense numerical computations. However, this strength also brings a vulnerability to light.

The crux of the LeftoverLocals vulnerability lies in the inadequate isolation of process memory in GPGPU platforms. An attacker, armed with access to the GPU’s programmable interface, can exploit this flaw to read memory meant to be isolated from other users and processes. This breach is not just theoretical but has been observed in local memory, a software-managed cache in the GPUs.

Trail of Bits researchers, spearheaded by Tyler Sorenson, have identified this flaw, tracked as CVE-2023-4969. This vulnerability is not merely a glitch but a serious concern, especially considering that most deep neural network (DNN) computations heavily rely on local memory. The implications are vast, potentially impacting ML implementations across embedded and datacenter domains.

What sets LeftoverLocals apart is its presence across various programming interfaces, such as Metal, Vulkan, and OpenCL. It spans a range of operating systems and drivers, making it a complex issue to address. Interestingly, during their extensive testing, Trail of Bits did not observe this issue on NVIDIA devices.

The discovery of LeftoverLocals sends ripples across the GPU marketplace, highlighting a complex software supply chain. Addressing this issue demands a concerted effort from hardware manufacturers, software library providers, programmers, system integrators, and standards bodies. It is a multi-faceted challenge requiring ongoing vigilance and collaboration.

An attacker can craft a malicious application to exploit CVE-2023-4969, leading to unauthorized access to sensitive data. This could result in the leakage of private information from one GPU kernel to another, a severe breach in any data-sensitive environment.

The revelation of LeftoverLocals by Tyler Sorenson and the Trail of Bits team is a wake-up call. It underscores the need for a unified response from the tech community. Vendors and the Khronos Group, responsible for developing open standards like OpenCL, have begun coordinating efforts for disclosure and resolution.